Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Search group by parameter

zservati
Explorer
‎01-31-2012 11:27 AM

I am trying to perform a search and using regx and parameter can summarize the result based on two categories which are filing-type and application ( see in bold below). My data looks as listed below for each filing record I have one event in the raw data now I need to get a count for each filing-type and application and the result output should be:

Filing-type Application Count
IRS-941-Payment QUICKBOOKS-DIY 1
SSA-W3-FILING QUICKBOOKS-DIY 1

The basic search perform to get the results below is :

index=efepr Filing was routed from FILING-PROCESSOR RECEIVED

==== Search result

1639] - Filing # 43221772, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {IRS-941-PAYMENT, IRS, QUICKBOOKS-DIY, Y:2012 W:5, RECEIVED}

1539] - Filing # 43221752, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {SSA-W3-FILING, IRS, QUICKBOOKS-DIY, Y:2011 M:1, RECEIVED}

Tags (2)
Reply

hexx
Splunk Employee
Splunk Employee
‎01-31-2012 12:48 PM

Update: Now with in-line field extractions.

Provided that you have successfully extracted the fields "filing-type" (note that Splunk will flatten the dash in that field name to an underscore) and "application", it seems that you are looking for a search like this one :

index=efepr <additional search terms> | rex "\{(?<filing_type>[^,]*?),(?<filing_recipient>[^,]*?),(?<application>[^,]*?),(?<filing_date>[^,]*?),(?<filing_status>[^\}]*?)\}" | stats count by filing_type, application
0 Karma
Reply

zservati
Explorer
‎02-01-2012 01:47 PM

What listed below is the result of the search basically we log this for each filing. Below is a sample what the search returns for two filing records.

1639] - Filing # 43221772, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {IRS-941-PAYMENT, IRS, QUICKBOOKS-DIY, Y:2012 W:5, RECEIVED}

1539] - Filing # 43221752, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {SSA-W3-FILING, IRS, QUICKBOOKS-DIY, Y:2011 M:1, RECEIVED}

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎02-01-2012 10:22 AM

To help you with that, we'll need to see a couple of sample events.

0 Karma
Reply

zservati
Explorer
‎02-01-2012 09:49 AM

Extracting Filing Type and Application is what I'm struggling for so could you please let me know how I can extract these fields and assign it to two parameters Filing_type and Application, which then as you pointed out I can use stats to group them.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...